FreeKB - Ansible Copy an ansible vault encrypted file to managed nodes
Ansible - Copy an ansible vault encrypted file to managed nodes

Generally speaking, when you have sensitive data that needs to be encrypted, there are two main approaches.

  1. Store the encrypted data in a variable
  2. Copy the encrypted file to each managed node

By far, option 1 is preferred, because the secret never lands on disk in plain text on the managed node. However, if for some reason option 1 is not feasible, this article describes how to copy an encrypted file to each managed node.


Let's say you used the ansible-vault create command to create a file named passwords.yml that contains sensitive data, perhaps something like this.

test_password: itsasecret
prod_password: hGn4!kD98A


Attempting to view the passwords.yml file using the cat command will display something like this. The ansible-vault view command can be used to view the content of the passwords.yml file.

$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531


Here is an example of how passwords.yml could be used with the copy module.

---
- hosts: all
  tasks:
    - name: copy passwords.yml to the /usr/local/secure directory
      copy:
        src: passwords.yml
        dest: /usr/local/secure/passwords.yml
        owner: root
        group: root
        mode: 0600
...


Let's say you issue the ansible-playbook command like this.

ansible-playbook foo.yml


The following should be returned.

TASK [copy passwords.yml to the /usr/local/secure directory] 
fatal: [server1.example.com]: FAILED! => {"msg": "A vault password or secret must be specified to decrypt passwords.yml"}


Let's write the password that was used to encrypt passwords.yml to a file such as .vault_password.txt.

echo "itsasecret" > .vault_password.txt


Then restrict the permissions of .vault_password.txt so that only its owner can read and write the file.

chmod 0600 .vault_password.txt


The --vault-password-file option can then be passed on the command line.

ansible-playbook foo.yml --vault-password-file .vault_password.txt


On each managed node, the copy module decrypts passwords.yml before writing it, so /usr/local/secure/passwords.yml is stored unencrypted and contains the following.

test_password: itsasecret
prod_password: hGn4!kD98A
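As an added example (not part of the FreeKB article), here is a small POSIX shell pre-flight check that verifies passwords.yml really carries the ansible-vault header and that .vault_password.txt has mode 0600 before it builds the ansible-playbook command line shown above; the function names are my own, and the file names passwords.yml and .vault_password.txt are assumed from the article.

```shell
#!/bin/sh
# Added example (not from the FreeKB article): pre-flight checks for the
# playbook run shown above. Assumed file names: passwords.yml (the vault
# encrypted source) and .vault_password.txt (the vault password file).

# Succeeds only when the first line is an ansible-vault header such as
# "$ANSIBLE_VAULT;1.1;AES256" (a plaintext passwords.yml would be copied as-is).
is_vault_encrypted() {
  head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[0-9];AES256'
}

# Succeeds only when the password file exists and its mode is exactly 0600,
# which is what the chmod step above establishes. GNU stat first, BSD fallback.
vault_password_file_ok() {
  [ -f "$1" ] || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
  [ "$mode" = "600" ]
}

# Prints the ansible-playbook command line when both checks pass; otherwise
# prints the reason on stderr and returns 1 so a wrapper script can stop early.
build_playbook_command() {
  playbook=$1; secret=$2; password_file=$3
  if ! is_vault_encrypted "$secret"; then
    echo "refusing: $secret is not ansible-vault encrypted" >&2
    return 1
  fi
  if ! vault_password_file_ok "$password_file"; then
    echo "refusing: $password_file missing or not mode 0600" >&2
    return 1
  fi
  echo "ansible-playbook $playbook --vault-password-file $password_file"
}

# Usage, mirroring the article's commands:
#   build_playbook_command foo.yml passwords.yml .vault_password.txt
```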


Web design by yours truely - me, myself, and I   |   jeremy.canfield@freekb.net   |